Nmap 5.00 Released

July 16, 2009 -- Insecure.Org is pleased to announce the immediate,
free availability of the Nmap Security Scanner version 5.00
from http://nmap.org/. This is the
first stable release since 4.76 (last September), and the first major
release since the 4.50 release in 2007. Dozens of development
releases led up to this.

Considering all the changes, we consider
this the most important Nmap release since 1997, and we recommend that
all current users upgrade.

About Nmap

Nmap ("Network Mapper") is a free and open source
(license) utility for
network exploration or security auditing. Many systems and network
administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or
service uptime. Nmap uses raw IP packets in novel ways to determine
what hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It
was designed to rapidly scan large networks, but works fine against
single hosts. Nmap runs on all major computer operating systems, and
official binary packages are available for Linux, Windows, and Mac OS
X. In addition to the classic command-line Nmap executable, the Nmap
suite includes an advanced GUI and results viewer
(Zenmap), a flexible data
transfer, redirection, and debugging tool
(Ncat), and a utility for
comparing scan results (Ndiff).

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 5.00 is now available!

Top 5 Improvements in Nmap 5

Before we go into the detailed changes, here
are the top 5 improvements in Nmap 5:

The new Ncat tool aims to be
your Swiss
Army Knife for data transfer, redirection, and debugging. We
released a
whole users' guide
detailing security testing and network administration tasks made easy with Ncat.

The addition of the Ndiff scan
comparison tool completes Nmap's growth into a whole suite of
applications which work together to serve network administrators and
security practitioners. Ndiff makes it easy to automatically scan
your network daily and report on any changes (systems coming up or
going down or changes to the software services they are running). The
other two tools now packaged with Nmap itself are Ncat and
the much improved Zenmap GUI and results
viewer.

Nmap performance has improved
dramatically. We spent last summer scanning much of the Internet
and merging that data with internal enterprise scan logs to determine
the most commonly open ports. This allows Nmap to scan fewer ports by
default while finding more open ports. We also added a fixed-rate
scan engine so you can bypass Nmap's congestion control algorithms and
scan at exactly the rate (packets per second) you specify.

We released Nmap Network
Scanning, the official Nmap guide to network discovery and security
scanning. From explaining port scanning basics for novices to
detailing low-level packet crafting methods used by advanced hackers,
this book suits all levels of security and networking professionals. A
42-page reference guide documents every Nmap feature and option, while
the rest of the book demonstrates how to apply those features to
quickly solve real-world tasks. More than half the book
is available in the free
online edition.

The Nmap Scripting
Engine (NSE) is one of Nmap's most powerful and flexible
features. It allows users to write (and share) simple scripts to
automate a wide variety of networking tasks. Those scripts are then
executed in parallel with the speed and efficiency you expect from
Nmap. All existing scripts have been improved, and 32 new ones added.
New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries,
and vulnerability probes; open proxy detection; whois and AS number
lookup queries; brute force attack scripts against the SNMP and POP3
protocols; and many more. All NSE scripts
and modules are described in the
new NSE documentation portal.

News articles and reviews

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 5.00 release. Here are the ones seen so far:
Reasonably detailed (or with many comments) English articles:

Nmap and Zenmap 5.00 screenshots (images not reproduced here): classic command-line Nmap; Zenmap's new network topology graphing mode; Zenmap showing all discovered HTTP services; Zenmap displaying Nmap output.

Change details

The Nmap Changelog
describes nearly 600 significant improvements since our last major
release
(4.50).
Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting
Engine (NSE) is one of Nmap's most powerful and flexible
features. It allows users to write (and share) simple scripts to
automate a wide variety of networking tasks. Those scripts are then
executed in parallel with the speed and efficiency you expect from
Nmap. It existed in Nmap 4.50, but has been dramatically improved:

Every script has been improved, and the number of scripts has grown nearly 50% to 59.

Other new scripts include:
asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIRs) and attempts to retrieve information about the IP address assignment which contains the target IP address.

The set of new libraries is equally impressive. Modules are
all listed here (scroll down to
"Modules").

Introduced the NSE
Documentation Portal which documents every NSE script and library
included with Nmap. It is generated
from NSEDoc comments
embedded in scripts. Scripts are available for download on this site
as well. We also dramatically improved
the NSE Guide.

NSE now supports run-time interaction so you know when it will
complete, and the --host-timeout option so you can define when it
completes. Support for -S (source IP address) and --ip-options has
been added to the NSE and version detection subsystems.

Added Boolean operators for --script. You may now use "and",
"or", and "not", combined with categories, filenames, and wildcarded
filenames, to match a set of script files. A
new default
category includes the scripts which run by default when NSE is
requested.
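As an added illustration (not Nmap's own code), here is a small Python evaluator for --script expressions of the kind described above. It works against a made-up script table with categories; a bare word is resolved first as a category and then as a script filename (with or without .nse) matched as a wildcard, a comma is treated as "or", and the precedence (not over and over or, with parentheses) is this example's choice rather than a statement about Nmap's parser.

```python
import fnmatch
import re

# Constructed sample of script names and categories; not the real Nmap script database.
SCRIPTS = {
    "banner": {"discovery", "safe"},
    "http-passwd": {"intrusive", "vuln"},
    "pop3-brute": {"intrusive", "auth"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "snmp-brute": {"intrusive", "auth"},
    "whois": {"discovery", "external", "safe"},
}

KEYWORDS = ("and", "or", "not")
TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")


def tokenize(expr):
    """Split a --script expression into parens, commas, keywords and terms."""
    return TOKEN_RE.findall(expr)


class ScriptExprParser:
    """Recursive-descent parser: or < and < not < atom (this example's precedence)."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", ","):  # a comma is treated as "or" (assumption)
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("expression ended early")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in KEYWORDS or tok in (")", ","):
            raise ValueError("unexpected token %r" % tok)
        return ("term", tok)


def term_matches(term, name, categories):
    """A term is a category name, or a (wildcarded) script filename with or without .nse."""
    if term in categories:
        return True
    pattern = term[:-4] if term.endswith(".nse") else term
    return fnmatch.fnmatchcase(name, pattern)


def evaluate(node, name, categories):
    kind = node[0]
    if kind == "term":
        return term_matches(node[1], name, categories)
    if kind == "not":
        return not evaluate(node[1], name, categories)
    left = evaluate(node[1], name, categories)
    right = evaluate(node[2], name, categories)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr, scripts=SCRIPTS):
    """Return the sorted script names selected by a --script expression."""
    tree = ScriptExprParser(tokenize(expr)).parse()
    return sorted(name for name, cats in scripts.items() if evaluate(tree, name, cats))


if __name__ == "__main__":
    for expr in ("default or safe", "(discovery or auth) and not safe", "*-brute.nse"):
        print("%-40s -> %s" % (expr, ", ".join(select_scripts(expr))))
```

The useful property for a defender is that "not intrusive" or "(discovery or auth) and not safe" can be checked against the script table before a scan is run, so a scheduled job can prove it selects only the categories it is meant to.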

NSE can now be used in combination with ping scan (e.g. "-sP
--script") so that you can execute host scripts without needing to
perform a port scan.

Zenmap graphical front-end and results viewer

Zenmap is a
cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results
viewer which supports all Nmap options. It aims to make Nmap easy for
beginners to use while providing advanced features for experienced
Nmap users. Frequently used scans can be saved as profiles to make
them easy to run repeatedly. A command creator allows interactive
creation of Nmap command lines. Scan results can be saved and viewed
later. Saved scan results can be compared with one another to see how
they differ. The results of recent scans are stored in a searchable
database. While Zenmap already existed in Nmap 4.50, it has improved dramatically since then:

While Nmap stands for “Network Mapper”, it hasn't been
able to actually draw you a map of the network—until now! The
new Zenmap Network
Topology feature provides an interactive, animated visualization
of the hosts on a network and connections between them. The scan
source is (initially) in the center, with other hosts on a series of
concentric circles which represent the number of hops away they are
from the source. Nodes are connected by lines representing discovered paths between them. Read the full details (and ogle the pretty pictures)
in our article
on Surfing the
Network Topology. Topology views can be saved as a PNG, PostScript, PDF, or SVG image.

The scan
aggregation feature allows you to combine the results of many Nmap
scans into one view. When one scan is finished, you may start another
in the same window. Results of the new scan are seamlessly merged
into one view.

Overhauled the default list of scan profiles to provide a much
more diverse and useful set of default profile options. If users
don't like any of these canned scan commands, they can easily create
their own in the Profile Editor.

Added a context-sensitive help system to the Profile
Editor. Mouse-over options to learn more about what
they do and their argument syntax.

Added advanced
search functionality to Zenmap so that you can locate previous
scans using criteria such as which ports were open, keywords in the
target names, OS detection results, etc. Try it out with Ctrl-F or
"Tools->Search Scan Results".

And more: An animated throbber has been added to indicate that a scan is running, and a new cancel button lets you stop a scan in its tracks. The Nmap output window now scrolls automatically, and ports are colored based on open/closed state.

Nmap 5 introduces Ncat, a
general-purpose command-line tool for reading, writing, redirecting,
and encrypting data across a network. It aims to be your
network Swiss
Army knife, handling a wide variety of security testing and
administration tasks. Ncat is suitable for interactive use or as a
network-connected back end for other tools. Ncat can:

Act as a simple TCP/UDP/SSL client for interacting with web
servers, telnet servers, mail servers, and other TCP/IP network
services. Often the best way to understand a service (for fixing
problems, finding security flaws, or testing custom commands) is to
interact with it using Ncat. This lets you control every character
sent and view the raw, unfiltered responses.

Act as a simple TCP/UDP/SSL server for offering services to
clients, or simply to understand what existing clients are up to by
capturing every byte they send.

Redirect or proxy TCP/UDP traffic to other ports or hosts. This
can be done using simple redirection (everything sent to a port is
automatically relayed somewhere else you specify in advance) or by
acting as a SOCKS or HTTP proxy so clients specify their own
destinations. In client mode, Ncat can connect to destinations through
a chain of anonymous or authenticated proxies.

Run on all major operating systems. We distribute Linux,
Windows, and Mac OS X binaries, and Ncat compiles on most other
systems. A trusted tool must be available whenever you need it, no
matter what computer you're using.

Encrypt communication with SSL, and transport it over IPv4 or
IPv6.

Act as a network gateway for execution of system commands, with
I/O redirected to the network. It was designed to work like the Unix
utility cat, but for the network.

Act as a connection broker, allowing two (or far more) clients
to connect to each other through a third (brokering) server. This
enables multiple machines hidden behind NAT gateways to communicate
with each other, and also enables the simple Ncat chat mode.

These capabilities become even more powerful and versatile when combined.

Ncat is our modern reinvention of the venerable Netcat (nc) tool
released by Hobbit in 1996. While Ncat is similar to Netcat in spirit,
they don't share any source code. Instead, Ncat makes use of Nmap's
well optimized and tested networking libraries. Compatibility with the
original Netcat and some well known variants is maintained where it
doesn't conflict with Ncat's enhancements or cause usability
problems. Ncat adds many capabilities not found in Hobbit's original
nc, including SSL support, proxy connections, IPv6, and connection
brokering. The original nc contained a simple port scanner, but we
omitted that from Ncat because we have a preferred tool for that
function.

Nmap has been doing host discovery and port scanning since its release in '97, but we continue to improve this core functionality. We've added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

Nmap now scans the most common 1,000 ports by default in either
protocol (UDP scan is still optional). These were determined by
spending months scanning tens of millions of IPs on the
Internet. This makes Nmap faster (used to scan 1,715 TCP ports by
default) and yet more comprehensive since the smaller number of
ports are better chosen.

Nmap fast scan (-F) now scans the top 100 ports by default in
either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP)
in Nmap 4.68. Port scanning time with -F is generally an order of
magnitude faster than before, making -F worthy of its "fast scan"
moniker.

The --top-ports option lets you specify the number of ports you
wish to scan in each protocol, and will pick the most popular ports
for you based on the new frequency data. For both TCP and UDP, the
top 10 ports get you roughly half of the open ports. The top 1,000
(out of 65,536 possible) finds roughly 93% of the open TCP ports and
more than 95% of the open UDP ports.
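To make the frequency-driven port selection concrete, here is an added Python example (not Nmap's code) that reads lines in the layout of Nmap's nmap-services file ("name port/proto open-frequency [# comment]"), picks the top n ports per protocol the way --top-ports does, and reports what share of the total open-port frequency mass those ports capture. The sample lines and their frequencies are constructed for the example and are not Nmap's survey data.

```python
# Constructed lines in the layout of Nmap's nmap-services file; the frequencies are
# invented for this example and are not Nmap's real survey data.
SERVICES_SAMPLE = """\
# Fields: service-name port/protocol open-frequency [# comment]
http 80/tcp 0.50 # World Wide Web HTTP
telnet 23/tcp 0.22
https 443/tcp 0.20
ftp 21/tcp 0.19
ssh 22/tcp 0.18 # Secure Shell
smtp 25/tcp 0.13
pop3 110/tcp 0.08
unknown 1025/tcp 0.01
snmp 161/udp 0.43
netbios-ns 137/udp 0.36
domain 53/udp 0.21
ntp 123/udp 0.10
"""


def parse_services(text):
    """Return {protocol: [(port, frequency), ...]} from nmap-services style text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or "/" not in fields[1]:
            continue  # tolerate malformed lines rather than abort the whole file
        port_str, proto = fields[1].split("/", 1)
        try:
            table.setdefault(proto, []).append((int(port_str), float(fields[2])))
        except ValueError:
            continue
    return table


def top_ports(text, n, proto):
    """The n ports of a protocol with the highest open frequency (what --top-ports n picks)."""
    entries = sorted(parse_services(text).get(proto, []), key=lambda e: (-e[1], e[0]))
    return [port for port, _ in entries[:n]]


def coverage(text, n, proto):
    """Share of the protocol's total open-port frequency mass captured by the top n ports."""
    entries = parse_services(text).get(proto, [])
    total = sum(freq for _, freq in entries)
    if total == 0:
        return 0.0
    chosen = set(top_ports(text, n, proto))
    return sum(freq for port, freq in entries if port in chosen) / total


def port_spec(ports):
    """Format a port list the way the -p option expects it: ascending, comma separated."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        chosen = top_ports(SERVICES_SAMPLE, 3, proto)
        print("%s top 3: -p %s (covers %.0f%% of the sample's open ports)"
              % (proto, port_spec(chosen), 100 * coverage(SERVICES_SAMPLE, 3, proto)))
```

Run against a real nmap-services file, coverage() is the number to watch when trimming a port list for a recurring inventory scan: it tells you how much of the expected open-port population a smaller scan gives up.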

Added a new --min-rate option that allows specifying a minimum
rate at which to send packets. This allows you to override Nmap's
congestion control algorithms and request that Nmap try to keep at
least the rate you specify. A complementary --max-rate option was
added as well. They
are documented
here.

Added SCTP port
scanning support to Nmap. Stream control transmission protocol is a
layer 4 protocol used mostly for telephony related applications.
This brings the following new features:

The server
scanme.csnc.ch has
been set up for your SCTP scan testing pleasure. But note that
SCTP doesn't pass through most NAT devices.

David spent more than a month on algorithms to improve port
scan performance while retaining or improving accuracy. The changes,
described here,
reduce our "benchmark scan time" (which involves many
different scan types from many source networks to many targets) from
1879 seconds to 1321 without harming accuracy. That is a 30% time
reduction! Fyodor made a number of performance improvements as well.

The host discovery (ping probe) defaults have been enhanced to
include twice as many probes. The default is now "-PE -PS443 -PA80
-PP". In exhaustive testing of 90 different probes, this emerged as
the best four-probe combination, finding 14% more Internet hosts
than the previous default, "-PE -PA80". The default for non-root
users is -PS80,443, replacing the previous default of -PS80. In
addition, ping probes are now sent in order of effectiveness (-PE
first) so that less effective probes may not have to be sent. ARP
ping is still the default on local ethernet networks.

Fixed an integer overflow which prevented a target
specification of "*.*.*.*" from working. Support for the CIDR /0 is
now also available for those times you wish to scan the entire
Internet.

When Nmap finds a probe during ping scan which elicits a
response, it now saves that information for the port scan and later
phases. It can then "ping" the host with that probe as necessary to
collect timing information even if the host is not responding to the
normal port scan packets. Previously, Nmap's port scan timing pings
could only use information gathered during that port scan itself. A
number of other "port scan ping" system improvements were made at the
same time to improve performance against firewalled hosts
(full
details).

Fyodor's Nmap book

Fyodor released
Nmap Network Scanning: The Official
Nmap Project Guide to Network Discovery and Security Scanning.
From explaining port scanning basics for novices to detailing
low-level packet crafting methods used by advanced hackers, this
book suits all levels of security and networking professionals. A
42-page reference guide documents every Nmap feature and option,
while the rest of the book demonstrates how to apply those features
to quickly solve real-world tasks. It was briefly the #1 selling
computer book on Amazon. More than half of the book is already
free online.

A German
translation
is available
from Open Source Press; Korean and Brazilian Portuguese
translations
are forthcoming.

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users
around the world, the 2nd
generation OS detection database has nearly doubled in size since
4.50 to 2,003 entries. These include the latest versions of Windows,
Linux, and Mac OS X as well as more specialized entries such as
oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles,
and much more. Keep those submissions coming!

In addition to doubling the database size, we enhanced the OS
detection engine and its tests to improve accuracy. For example, we
added a new SEQ.CI test (IP ID sequence generation from closed TCP
port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI
tests.

Version detection

Nmap's version detection
system interrogates open ports to determine what service
(e.g. http, smtp) is running and often the exact application name and
version number. The version detection database grew by nearly a
thousand signatures. It grew from 4,558 signatures representing 449
protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in
5.00. You can read about Doug's signature creation
adventures here, here,
and here. The service
protocols with the most signatures are http (1,868), telnet (584), ftp
(506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap
(122), and irc (48). Among the protocols with just one signature
are netrek,
gopher-proxy, ncat-chat,
and metasploit.

Ndiff scan comparison tool

The new Ndiff utility compares the results of two Nmap scans and
describes the new/removed hosts, newly open/closed ports, changed
operating systems, or application versions, etc. This makes it
trivial to scan your networks on a regular basis and create a report
(XML or text format) on all the changes. See the
Ndiff man page
and home page for more
information. Ndiff is included in our binary packages and built by
default, though you can prevent it from being built by specifying
the --without-ndiff configure flag.

Here are excerpts from an Ndiff comparison between two scans for the Facebook network:
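The Facebook excerpt itself is not reproduced on this page. As an added example (not Ndiff's own code), the following Python compares two constructed Nmap XML documents in the way the paragraph above describes: it reports added and removed hosts, port state changes, service version changes and OS changes. It assumes that a port absent from one of the two scans counts as closed there, which is a simplification of this example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML excerpts following the nmaprun layout; not real scan output.
SCAN_OLD = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.00">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.9"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
</host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
</host>
</nmaprun>
"""

SCAN_NEW = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.00">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
</host>
<host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
</host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {address: {"ports": {(proto, port): (state, service)}, "os": name}} for up hosts."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.findall("./ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            desc = ""
            if svc is not None:
                desc = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            ports[key] = (state, desc)
        osmatch = host.find("./os/osmatch")
        hosts[addr] = {"ports": ports, "os": osmatch.get("name") if osmatch is not None else None}
    return hosts


def diff_scans(old_xml, new_xml):
    """List (address, kind, detail) tuples describing what changed between two scans."""
    old, new = parse_scan(old_xml), parse_scan(new_xml)
    changes = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old:
            changes.append((addr, "host-added", ""))
            continue
        if addr not in new:
            changes.append((addr, "host-removed", ""))
            continue
        o, n = old[addr], new[addr]
        if o["os"] != n["os"]:
            changes.append((addr, "os-changed", "%s -> %s" % (o["os"], n["os"])))
        for key in sorted(set(o["ports"]) | set(n["ports"])):
            # A port missing from one scan is treated as closed there (assumption of this example).
            ostate, osvc = o["ports"].get(key, ("closed", ""))
            nstate, nsvc = n["ports"].get(key, ("closed", ""))
            label = "%s/%s" % key
            if ostate != nstate:
                changes.append((addr, "port-state", "%s %s -> %s" % (label, ostate, nstate)))
            elif osvc != nsvc:
                changes.append((addr, "service-changed", "%s %s -> %s" % (label, osvc, nsvc)))
    return changes


def format_report(changes):
    """Render changes as text lines: '+' new host, '-' removed host, '~' modified host."""
    marks = {"host-added": "+", "host-removed": "-"}
    return "\n".join(("%s %s %s %s" % (marks.get(kind, "~"), addr, kind, detail)).rstrip()
                     for addr, kind, detail in changes)


if __name__ == "__main__":
    print(format_report(diff_scans(SCAN_OLD, SCAN_NEW)))
```

An empty change list from a daily comparison is the normal case; a newly open port or a host appearing that no change ticket explains is the event worth alerting on.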

Nmap has moved. Everything at http://insecure.org/nmap/ can now be
found at http://nmap.org . That should save your fingers from a
little bit of typing.

A copy of the Nmap public svn repository (/nmap, plus its
zenmap, nsock, nbase, and ncat externals) is now available at
http://nmap.org/svn/. We update this regularly, but it may be
slightly behind the SVN version. It is particularly useful when you
need to link to files in the tree, since browsers generally don't
handle svn:// repository links.

Portability enhancements

Nmap's dramatic improvements are of little value if it doesn't run
on your system. Fortunately, portability has always been a high
priority. Nmap 5.00 runs on all major operating systems, plus the
Amiga. Portability improvements in this release include:

A Mac OS X Nmap/Zenmap installer is now available from the Nmap
download page. It is rather straightforward,
but detailed
instructions are available anyway. As a universal installer, it
works on both Intel and PPC Macs. It is distributed as a disk image
file (.dmg) containing an mpkg package. The installed Nmap includes
OpenSSL support and also supports Authorization Services so that
Zenmap can run as root when necessary.

The new --stats-every option takes a time interval that
controls how often timing status updates are printed. It is useful
when Nmap is run by another program as a subprocess, or if you just
like frequent timing updates.

Completion time estimates provided in verbose mode or when you hit a
key during scanning are now more accurate.

The nmap-dev and nmap-hackers mailing list RSS feeds at SecLists.Org
now include message excerpts to make it easier to identify
interesting messages and speed the process of reading through the
list. Feeds for all other mailing lists archived at SecLists.Org
have been similarly augmented (details).

Fixed an integer overflow in the scan progress meter. As an
Nmap user, few things are more discouraging than seeing your estimated
completion time rise so high that it goes negative.

Nmap's output options (-oA, -oX, etc.) now support
strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y,
and %Y are all the same as in strftime(). %T is the same as %H%M%S,
%R is the same as %H%M, and %D is the same as %m%d%y. This means that
"-oX 'scan-%T-%D.xml'" uses an XML file in the form of
"scan-144840-121307.xml".
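The expansion rules just listed, written out as an added Python example (not Nmap's implementation). It maps %T, %R and %D to the strftime() sequences given above and hands %H, %M, %S, %m, %d, %y and %Y straight to strftime(); that an unknown %-sequence is left as literal text and that "%%" yields a single "%" are choices of this example, not documented Nmap behaviour.

```python
import datetime

# Nmap-specific shorthands, expanded to the strftime() sequences the release notes give.
SHORTHAND = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}
# Conversions the release notes say behave exactly as in strftime().
PASSTHROUGH = set("HMSmdyY")


def expand_output_filename(template, when=None):
    """Expand an -oX/-oA/-oN filename template for the given time (default: now).

    Unknown %-sequences are kept as literal text and '%%' becomes '%'; both are
    assumptions of this example rather than documented Nmap behaviour.
    """
    when = when if when is not None else datetime.datetime.now()
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch != "%" or not nxt:
            out.append(ch)  # ordinary character, or a lone trailing '%'
            i += 1
        elif nxt == "%":
            out.append("%")
            i += 2
        elif nxt in SHORTHAND:
            out.append(when.strftime(SHORTHAND[nxt]))
            i += 2
        elif nxt in PASSTHROUGH:
            out.append(when.strftime("%" + nxt))
            i += 2
        else:
            out.append(ch + nxt)  # unknown conversion: left as written
            i += 2
    return "".join(out)


if __name__ == "__main__":
    # The release notes' own example time: 14:48:40 on 13 December 2007.
    print(expand_output_filename("scan-%T-%D.xml", datetime.datetime(2007, 12, 13, 14, 48, 40)))
```

Because %D orders the date as month, day, two-digit year, filenames built from it do not sort chronologically in a directory listing; a template such as "scan-%Y%m%d-%T.xml" does, which matters when a later Ndiff job picks "the previous scan" by name.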

Removed Brazilian poetry/lyrics from Zenmap source code
(NmapOutputViewer.py). We've seen enough of it in the debug logs. "E nao se entrega, nao". We also removed a code comment which declared /*WANKER ALERT!*/ for no good reason.

Nmap and Nmap-WinPcap silent installation now works on Windows.
Nmap can be silently installed with the /S option to the installer.
If you install Nmap from the zip file, you can install just WinPcap
silently with the /S option to that installer.

--traceroute is now faster and more effective because it uses
the timing ping probe saved from host discovery and port
scanning. The timing ping probe is always the best probe Nmap knows
about for eliciting a response from a target.

We now have a public
TODO list describing our future plans and tasks which need work.

Google sponsored 6 college/grad students for Summer of Code 2009.
They and their ongoing projects
are introduced
here.

Nmap now builds with
the _FORTIFY_SOURCE=2
define. With modern versions of GCC, this adds extra buffer overflow
protection and other security checks.

Nmap was discovered in its eighth movie. In the Russian film
Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
Microsoft. In response, MS sends a pretty female hacker to flush
him out (more details and screen shots).

Nmap won LinuxQuestions.Org Network Security Application of the
Year for the sixth year in a row.

These release notes mostly discuss new features, but we also
made many performance enhancements and fixed a large number of bugs
which could lead to crashes, compilation failures, or other
misbehavior.

These are just highlights from the full list of changes you can
find in our CHANGELOG.

Moving Forward

With this stable version out of the way, we are diving headfirst
into the next development cycle. Many exciting features are in the
queue, including:

Ncrack, a high speed network authentication cracker

Nping, a raw packet network probing tool

High speed port scanning through http or socks proxies (or chains of proxies)

Acknowledgments

A free open source scanner as powerful as Nmap is only possible
thanks to the help of hundreds of developers and other contributors.
We would like to acknowledge and thank the many people who contributed
ideas and/or code since Nmap 4.50. Special thanks go out to:

Download and Updates

To learn about Nmap announcements as they happen, subscribe to nmap-hackers!
It is a very low volume (7 messages in 2008),
moderated list for announcements about Nmap, Insecure.org, and related
projects. You can join the 65,000 current subscribers.